[119325] in North American Network Operators' Group


Re: AH is pretty useless and perhaps should be deprecated

daemon@ATHENA.MIT.EDU (Merike Kaeo)
Sat Nov 14 00:10:07 2009

In-Reply-To: <185296339-1258168066-cardhu_decombobulator_blackberry.rim.net-399891495-@bda772.bisx.prod.on.blackberry>
From: Merike Kaeo <kaeo@merike.com>
Date: Fri, 13 Nov 2009 21:09:42 -0800
To: sfouant@shortestpathfirst.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

If I recall correctly what an implementor once told me, the work
involved in taking the fields that are immutable, then hashing the
packet, then sticking those immutable fields back in is actually more
work than encrypting. Surprised me at the time but seems to be the
case.

- merike


On Nov 13, 2009, at 7:09 PM, sfouant@shortestpathfirst.net wrote:

> I've seen some vendor implementations in which ESP actually  
> outperformed AH during performance testing... go figure...
>
> Stefan Fouant
> ------Original Message------
> From: Jack Kohn
> To: nanog@nanog.org
> Subject: AH is pretty useless and perhaps should be deprecated
> Sent: Nov 13, 2009 7:22 PM
>
> Hi,
>
> Interesting discussion on the utility of Authentication Header (AH) in
> IPSecME WG.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05026.html
>
> Post explaining that AH, even though protecting the source and
> destination IP addresses, is really not good enough.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg05056.html
>
> What do folks feel? Do they see themselves using AH in the future?
> IMO, ESP and WESP are good enough and we don't need to support AH any
> more ..
>
> Jack
>
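
An added example (not part of the original thread, and not any vendor's implementation): the AH integrity check for an IPv4 transport-mode packet as RFC 4302 specifies it, hashed over a copy of the packet in which the fields that change in transit are zeroed. It assumes HMAC-SHA1-96, no IP options, and a constructed key, addresses and payload; the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51   # IP protocol number for AH
ICV_LEN = 12    # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits (assumed algorithm)

def build_ipv4(src, dst, ttl, body_len):
    """20-byte IPv4 header, no options; checksum left at 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0,
                       ttl, AH_PROTO, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Copy of the header with the fields routers may change set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0                # DSCP/ECN
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over zeroed-mutable IP header, AH with ICV zeroed, and payload."""
    ah_zeroed = ah_hdr[:12] + b"\x00" * ICV_LEN
    data = zero_mutable(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, src, dst, ttl, spi, seq, payload, next_hdr=17):
    """Build IP | AH | payload (transport mode) with the ICV filled in."""
    # AH fixed part: next header, payload len (32-bit words minus 2),
    # reserved, SPI, sequence number
    ah = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ah += b"\x00" * ICV_LEN
    ip = build_ipv4(src, dst, ttl, len(ah) + len(payload))
    return ip + ah[:12] + ah_icv(key, ip, ah, payload) + payload

def verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ah_len = 12 + ICV_LEN
    ip, ah, payload = packet[:20], packet[20:20 + ah_len], packet[20 + ah_len:]
    return hmac.compare_digest(ah[12:], ah_icv(key, ip, ah, payload))
```

A packet whose TTL or DSCP was changed by a router still verifies, while one whose source address was rewritten (for example by NAT) or whose payload was altered does not.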


